added documentation for templating feature

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
external-secrets · Dec 20, 2023 · d16300c · d16300c
1 parent b6dc2c5
commit d16300c
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 1 deletion.
diff --git a/docs/api/pushsecret.md b/docs/api/pushsecret.md
@@ -3,8 +3,16 @@
 The `PushSecret` is namespaced and it describes what data should be pushed to the secret provider.
 
 * tells the operator what secrets should be pushed by using `spec.selector`.
-* you can specify what secret keys should be pushed by using `spec.data`
+* you can specify what secret keys should be pushed by using `spec.data`.
+* you can also template the resulting property values using [templating](#templating).
 
 ``` yaml
 {% include 'full-pushsecret.yaml' %}
 ```
+
+## Templating
+
+When the controller reconciles the `PushSecret` it will use the `spec.template` as a blueprint to construct a new property.
+You can use golang templates to define the blueprint and use template functions to transform the defined properties.
+You can also pull in `ConfigMaps` that contain golang-template data using `templateFrom`.
+See [advanced templating](../guides/templating.md) for details.
diff --git a/docs/guides/templating.md b/docs/guides/templating.md
@@ -112,6 +112,16 @@ You can achieve that by using the `filterPEM` function to extract a specific typ
 {% include 'filterpem-template-v2-external-secret.yaml' %}
 ```
 
+## Templating with PushSecret
+
+`PushSecret` templating is much like `ExternalSecrets` templating. In-fact under the hood, it's using the same data structure.
+Which means, anything described in the above should be possible with push secret as well resulting in a templated secret
+created at the provider.
+
+```yaml
+{% include 'template-v2-push-secret.yaml' %}
+```
+
 ## Helper functions
 
 !!! info inline end

diff --git a/docs/snippets/full-pushsecret.yaml b/docs/snippets/full-pushsecret.yaml
@@ -12,6 +12,20 @@ spec:
   selector:
     secret:
       name: pokedex-credentials # Source Kubernetes secret to be pushed
+  template:
+    metadata:
+      annotations: { }
+      labels: { }
+    data:
+      best-pokemon: "\{\{ .best-pokemon | toString | upper \}\} is the really best!"
+    # Uses an existing template from configmap
+    # Secret is fetched, merged and templated within the referenced configMap data
+    # It does not update the configmap, it creates a secret with: data["alertmanager.yml"] = ...result...
+    templateFrom:
+      - configMap:
+          name: application-config-tmpl
+          items:
+            - key: config.yml
   data:
     - match:
         secretKey: best-pokemon # Source Kubernetes secret key to be pushed

diff --git a/docs/snippets/template-v2-push-secret.yaml b/docs/snippets/template-v2-push-secret.yaml
@@ -0,0 +1,18 @@
+{% raw %}
+apiVersion: external-secrets.io/v1beta1
+kind: PushSecret
+metadata:
+  name: template
+spec:
+  # ...
+  template:
+    engineVersion: v2
+    data:
+      token: "{{ .token | toString | upper }} was templated"
+  data:
+    - match:
+        secretKey: token
+        remoteRef:
+          remoteKey: create-secret-name
+          property: token
+{% endraw %}